IT Security in SMBs


This article was co-authored by Mike Wilfley, vcfo Chief Operating Officer and Executive Vice President, and Shane Gronniger, CEO for GCS Technologies.

Ensuring IT Security in Small- to Medium-Sized Businesses

A decade ago, dealing with spam, avoiding worms and viruses, and keeping inappropriate images and websites out of the office environment were what held the attention of organizations and their IT departments when it came to cybersecurity. Implementing basic protective measures and content filters to protect the organization from bad actors was then a relatively minor check-the-box exercise funded from one’s operational budget.

Today, the range and complexity of cyber threats as well as concerns about their impact have grown exponentially. Because organizations didn’t have the runway, teams, and other elements in place to manage the rise of work-from-home models and cloud adoption in a fully controlled manner, widespread vulnerabilities have been introduced. Fortunately, advances in cloud modernization have spawned a new era of tools to better protect organizations. The challenge is that it’s hard for most small- to medium-sized organizations to grasp and implement these measures when their primary IT focus is day-to-day attention to core systems and end users.

While enterprise-level organizations with deep pockets can devote entire teams to protecting against threats, small- to medium-sized businesses (SMBs) are compelled to take a different path. Here, we take a look at today’s IT risk environment for SMBs, as well as the tools, processes, and services that one organization (vcfo) counts on to ensure their systems and data remain secure.

Establishing a Security Baseline

Years ago, security concerns heightened for vcfo when a third-party hosting platform for an accounting application some of the team used was encrypted and therefore inaccessible to the team. Although it did not occur on any vcfo system or platform, and despite the protections vcfo had in place at the time, the attack impacted operations for nearly a week. For CFOs and other leaders, instances like these are often what push concerns to a point that warrants a thorough review of how their organization views and manages these threats. The first step? Truly understanding the current state of vulnerabilities and gaps across the organization.

To understand the state of security and the areas that needed shoring up, vcfo turned to GCS Technologies, a managed IT services provider that delivers enterprise-level security to SMBs. As it does with other organizations, GCS undertook a diagnostic dive into vcfo’s systems and related processes and then delivered a report that detailed the areas and degrees of vulnerability, which set the stage for what to do next.

Planning and Prioritizing IT Security Improvement

The range of issues that typically comes to light in security audits and reviews isn’t solvable in one fell swoop. Achieving a level of security that meets an organization’s tolerance for risk takes time because virtually every aspect of the business is involved – budgets, people, processes, systems, and more. At vcfo, achieving the level of security envisioned following the security audit took considerable time.

Armed with initial insights into where vulnerabilities and gaps lie, leaders can then ask questions that will help guide them on where to start. Where are we most vulnerable? What can we get done quickly? What does the relationship between “resources required” and “impact expected” for each recommendation look like? From there, a plan can be developed to incorporate the needed measures sensibly. Achieving IT security isn’t a one-and-done exercise either. Maintaining the level of security needed to effectively manage risks requires ongoing effort.

Many SMBs also find it hard to know which tools to choose and how to connect them, which is where an outside organization like GCS can help. GCS is a Microsoft Office 365 shop because the overwhelming majority of the world’s businesses use it to some degree, and because Microsoft has become a security leader in recent years, developing powerful tools that GCS and the SMBs it serves use to manage and detect security issues.

Working the Plan and Implementing Controls

Just as organizations vary in their knowledge and understanding of security issues, so too do the employees that comprise them. In most cases, companies now have people logging in from different locations and devices each day. As such, companies must understand the security posture of those devices, what data they are accessing, and where that data is going, not to mention the cloud applications and services they are interacting with. This understanding helps to inform policies and other protective measures.

For example, vcfo removed the ability for employees to log in to company systems from outside the U.S., unless the security team was notified. Identity protection, whether for a company-issued or personal device, is a foundational element of IT security as username and password credentials act as keys to the company’s kingdom. Geo-blocking is indeed an effective tactic, but not a cure-all. Bad actors also reside in the U.S. and those in other countries can sometimes manipulate their location. Thankfully, the latest security tools can detect that.
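As an added illustration (not vcfo’s or GCS’s actual configuration), the policy described above expressed as a check over sign-in records: a country allow-list, a per-user exception recorded when the security team has been notified of travel, and a simple impossible-travel heuristic, assumed here as one way monitoring tools surface a manipulated location. The record layout, user names and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical sign-in record; fields mirror what a cloud identity
# provider's sign-in log typically carries (user, resolved country, time).
@dataclass
class SignIn:
    user: str
    country: str  # ISO 3166-1 alpha-2 code as resolved by the identity provider
    ts: datetime

ALLOWED_COUNTRIES = {"US"}

# Exceptions recorded when an employee notifies the security team of travel:
# user -> (country, date the exception expires). Constructed sample data.
APPROVED_TRAVEL = {"bob": ("GB", datetime(2024, 3, 20))}

def evaluate(event, allowed=ALLOWED_COUNTRIES, approved=APPROVED_TRAVEL):
    """Return 'allow' or 'block' for one sign-in under the geo-block policy."""
    if event.country in allowed:
        return "allow"
    notice = approved.get(event.user)
    if notice and notice[0] == event.country and event.ts <= notice[1]:
        return "allow"
    return "block"

def impossible_travel(events, window=timedelta(hours=2)):
    """Flag users with two sign-ins from different countries closer together
    than `window`: a simplified heuristic (an assumption here, not the page's
    tooling) for one genuine and one spoofed-location sign-in on an account.
    Returns (user, from_country, to_country) tuples for the security team."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    flagged = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            if a.country != b.country and b.ts - a.ts < window:
                flagged.append((user, a.country, b.country))
    return flagged

# Constructed sample log: alice is in the office, bob has an approved trip
# (and one sign-in after it expires), carol's account appears in two
# countries 30 minutes apart, dave signs in from abroad with no notice.
SAMPLE = [
    SignIn("alice", "US", datetime(2024, 3, 11, 9, 0)),
    SignIn("bob", "GB", datetime(2024, 3, 11, 9, 5)),
    SignIn("carol", "US", datetime(2024, 3, 11, 9, 10)),
    SignIn("carol", "DE", datetime(2024, 3, 11, 9, 40)),
    SignIn("dave", "BR", datetime(2024, 3, 11, 10, 0)),
    SignIn("bob", "GB", datetime(2024, 3, 25, 9, 0)),
]
```

The allow-list blocks carol's second sign-in on its own; the impossible-travel finding is what tells the security team the account itself needs a look.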

Endpoints (the range of devices that users use to connect to company systems) create the most vulnerability. This is why it is important to educate users on the range of risks they may encounter and how to approach day-to-day device usage. One way vcfo does this is by periodically conducting phishing campaigns with its employees. In these campaigns, GCS deploys a seemingly safe-looking email from what appears to be an unknown sender to see whether people will click on the link. If one or more do, it serves as a learning opportunity. If no one does, it serves as an opportunity to celebrate the security-mindedness of the employees and to reinforce vigilance.

Budgeting for IT Security and Empowering People

Budgeting for IT security is a challenge. Generally, budgeting for IT security consists of three buckets of expenses. Bucket one addresses needed subscriptions from providers like Microsoft and others for the tools that will enable continuous monitoring of one’s IT environment. These tools are also continuously updated as new threats and improved measures for protecting against them come about.

Bucket two of IT security expenses focuses on employee education. This includes exercises like the phishing campaign described above, as well as ongoing education that highlights areas of vulnerability and new attacks and threats that are being seen in other organizations. It’s difficult to overstate how important the education of end users is to one’s security plan. In essence, these users have to know when not to push the “red button.”

Bucket three of IT security expenses is for either bringing the expertise on staff or retaining expertise from an external Managed Services Provider (like GCS Technologies) to vigilantly tap into the different monitoring tools, advise the organization on newly arising threats, report on current activity and areas of vulnerability, and provide needed support should someone click on a link or open an attachment they shouldn’t have. One can think of this bucket as a security-team-as-a-service – one that brings in the tools, people, and processes needed to augment an organization’s internal IT function to protect against threats and instill an effective security posture.

Embracing and Addressing IT Security Vulnerability

Fortunately, few organizations now think that IT security issues will not affect them. Most understand that there are foundational IT security controls and common sense measures that should be a part of every organization. Every organization is different, however, so what’s needed beyond these elements is also different. The challenge often lies in finding the proper balance between one’s tolerance for risk and the time, expense, and energy required to manage that risk. Organizations like vcfo and GCS Technologies can help organizations understand, evaluate, and prioritize these variables to determine what their tolerance really is and what their approach should be.

Achieving and maintaining a strong security posture helps organizations avoid the significant adverse impacts that can stem from cyber threats and attacks. A strong security posture also gives customers the confidence that their expectations of safely conducting business will be met and that their protection is important to a company. Similarly, employees feel valued when an organization prioritizes their education and shows that it is looking out for each individual’s wellbeing at all times.
